I'm Justin and I'm going to be going over AD and how you can own it using management
software. And so we'll get started here. So introduction, it's going to pretty much go
over isolation and how you need to isolate AD from everything else and the management
that ‑‑ the management environment of AD and how it's handled. And so I'm specifically
going to be looking at SCOM, HP iLO and Hyper-V and how they can be used to own AD, essentially.
And there are no vulnerabilities. We're just going to look at how it's abused if they're
not managed right, essentially. And not configured properly.
So the software used to manage the domain controllers is often overlooked. And as you
know, it handles all Windows auth and it handles all the hashes, which, if you're after,
you know, an environment, you want to get all the hashes, because once you get all the hashes, you
can own any box in the domain. And so, yeah. It's the crown jewels of the environments.
And recommendations usually look at ID seg, and so they only look at Active Directory
and the OS level, you know, ID seg. And they don't look at everything that interacts with
Active Directory. And so background, I'm going to go over SCOM, which is used for
monitoring. And, of course, if it's a high‑valued asset, you want to monitor it, right? And
so you're going to use some sort of monitoring. And in this instance, we're going to look
at SCOM. There's a SCOM security guide that is available on the Internet. It's really
long. Nobody probably read it. They probably just hit next, next, next. And there's also
out‑of‑band management devices, so ‑‑ which is network‑level ‑‑ network devices
that allow out‑of‑band management. So if the machine is off, then you can ‑‑ if
you can restart it up, it's used for imaging, et cetera. And so we're going to look at HP
iLO in this instance. And then Hyper-V as well. So if you host ‑‑ which Hyper-V
is a virtualization. And so if you host AD on a Hyper-V host, then you also need to
look at the Hyper-V host. And there's warnings online about it that ‑‑ but it's often
overlooked and everybody ignores the host and only looks at the OS level, you know.
ID seg, right? And so first we'll look at SCOM. And it's used for monitoring and alerting
of health. And the SCOM SDK service is what it uses to interact with the agents and everything.
And it's opened up on 5723 and 5724 is what it uses. And these are required ‑‑ these
need to be open if you want to access the SCOM management. Like, if you actually want
to look at the alerts and everything, these have to be open. And so oftentimes organizations
have these open in the firewall in order to look at alerts and everything out of the
environment because they want to act upon them, right? And then Nmap, for instance, won't
scan for these. So if you use Nmap, then you'll need to add these to the list and you'll
see why in a minute. And the SCOM agent as well, which runs on every monitored machine,
it runs as local system. And so it's great because, you know, it's admin access. So you'll
see in a minute. So abusing the functionality of SCOM. So SCOM has this beautiful feature
called tasks. And they let you run arbitrary VBScript on every monitored machine.
And so obviously if you can own the SCOM app or the machine, then
you can run arbitrary script as local system on every managed machine. And then you have
to be a member of the SCOM Administrators or Authors role, which is application level
roles within SCOM. And you're able to then run these, obviously.
And so ‑‑ so if you have a SCOM instance, then you need to have another instance that
only monitors AD and then one instance that monitors everything else. So obviously they
need to be isolated. That's, you know, the whole goal here. So here's an overview of
the architecture, which was on MSDN or one ‑‑ yeah. But anyway, so it uses the SDK, which
then executes on the root management.
And then that runs the script on the agent‑managed machines. And it usually runs as whatever
the agent is running as. And by default it runs as local system, which I already mentioned.
And so they have an operations manager console as well. And that uses the SDK as well. But
you can also use their libraries that they have as well.
And so here's just a screenshot of the installation. And as you can see, by default it runs as
local system.
And there's many warnings out there on the Internet that it can be very dangerous and
it's bad. But nobody reads them, of course. So we're going to abuse it.
So demo time. Hopefully this is showing here. So we got a few demos.
Can you show me?
Okay.
Not demo time. The demo gods are not with me today. All right, there we go. We have something.
Now it's only on that screen. So I've got to look down. All right. Well ‑‑
okay, cool. All right. So pretty much here's the SCOM operations manager. So we're going to use it
to auth using a low‑privileged account. And that's in the SCOM administrator's role because
that's the way it was added. And that's usually how it's added. And so the SCOM console lists all
monitored machines in this example. One machine is a domain controller. Our new SCOM, what we're
going to execute is going to execute a reverse HTTPS shell and the VB script is written out to
hard disk and then executed in the SCOM task. So as you can see there, we're just running
arbitrary PowerShell and then running the script that's going to start our reverse shell. So
we'll copy that. Create a new SCOM task under the authoring. We're going to create a new SCOM task.
And so next we'll just call it meterpreter. And you can hide the name if you're, you know,
going to be sneaky. And then we want to run it on all Windows computers. And so increase the
timeout value to half an hour. That way we have plenty to migrate into another process. And
then so we create the task. And so this SCOM SD ‑‑ so the actual user who's executing that
has access into this is ‑‑ it only has access on the SCOM machine. And so obviously it's not an
admin on an AD. And then so we're going to run the task. So we ran them against each of the
machines. One's a domain controller. And you see we got the shells back.
And so it runs as the local system. And so we're just going to open a session on the domain
controller.
We get the ‑‑ yeah, we migrate, yeah. We're not migrating yet. So, yeah, it runs as local
system by default. And then we're just going to list the processes, migrate into spooler
because after half an hour it will end because that's what we have our execution as. So you
want to hurry up and migrate. And then ‑‑
And we migrate processes, dump the hashes, end of story. All right, all right. There we go.
There you go. There's the hashes. And now we own that ‑‑ that domain.
And then you can also do it ‑‑ you can also write arbitrary EXEs if you want. I'll just
You can also write a reverse shell in VBScript as well which works.
And so in this instance we're just going to write an arbitrary EXE.
So I'll skip ahead to ‑‑ well, I also mentioned here so here's the SCOM administrators
and as you see there's the SCOM SDK users that is admins in the SCOM app and not in
AD obviously.
And so if you're an admin in the SCOM app then you're essentially, you know, an admin
on the DC.
And so we just create another one here and it's pretty much the same thing.
I'll skip through it.
Except it's writing out an arbitrary EXE and then executing it.
And so.
It runs it.
And you can run this across however many machines there are.
So it will spin up an instance on every agent or in every agent.
And then it just runs and dumps the hashes out.
And one last example here that I had was.
The SCOM.
So 5724 is used by the SCOM SDK and the operations manager uses 5723.
And so if that's not open but 5724 is open, then you can still use the SDK libraries that
they have.
And you can execute everything using that as well.
You just have to implement it.
And so in this example we're going to import a new management pack.
And it's just going to run arbitrary commands.
And this is just a little app that I wrote that uses the SDK.
Really shitty app but it works.
And so it imports the management.
And then you'll just see you kind of have an interactive, you know, you can execute
whatever you want against it.
So just another example.
Okay.
We'll move on.
So recommendations ‑‑ let me switch this back ‑‑ okay, I'll just move on.
So recommendations is that the SCOM servers used to monitor AD need to be isolated.
Okay.
And not to allow SCOM SDK ports open.
So if they are, they need to be closed off.
SCOM administrators and authors should be limited to only the admins, obviously.
So you'll need another instance that only monitors AD.
Move engineers and everybody else into the read‑only or operator roles and that won't
allow them to execute new ‑‑ and also to reduce the agent as well.
So it doesn't need to run as local system.
And there's an official security guide, too, that you can read.
Go over here.
My bad.
All right.
So for evasion.
So SCOM tasks all need to be audited.
Obviously.
That way if there's any hidden task in there, they need to be audited.
So it also has the execution logs in SCOM.
And by default, it's one week.
And so ‑‑ but you can edit that, which is really good if you want to increase it
or if you're the bad guy and you want to remove the execution logs, you can also edit it.
And then it also logs every auth in the operations manager event log.
And so here's just a screenshot.
Instead of the history.
And so you can obviously edit it to be zero days and then nobody will know what ran.
Or you can edit it for one month if you want to audit.
All right.
So next we're going to go over out‑of‑band management devices.
And every machine usually has out‑of‑band management hardware used for monitoring and
maintenance.
And so it's used for imaging, for restarting, if you run out of hard disk space, et cetera,
et cetera.
It's for emergencies, essentially.
And so the admin interface is usually accessed.
Over.
It's over SSH or IPMI, HTTPS as well.
And it's equivalent to actually having the actual box, like, in your office in your
hands, right?
And many of them ‑‑ well, all except for HP have really shitty default passwords.
And so most of the time organizations might not update those.
And so you can use that as access.
And there's also ‑‑ about a month ago, Rapid7 released some really nice ‑‑ really,
really, really good ones.
Remote root exploits that allow admin access without auth.
And they're often hard to update.
Because you have to ‑‑ it's usually very manual.
And so organizations might not update them.
And here's an example of HP iLO that have an override switch that is actually on the
actual machine.
And ‑‑ yeah.
If it's enabled, then it ‑‑ then you don't have to auth at all.
So it's, you know, it's awesome if you're after that machine.
So here's a list of common usernames and iLO is the only one that's actually updated and
all the rest have.
So, one more demo of ‑‑ here, hang on, let me ‑‑
Okay.
Let me switch this back.
The mouse isn't coming over.
Give me one sec.
It's not cooperating.
There we go.
So this is just ‑‑ this is HP iLO here and what's going to happen is we're going
to mount an ISO and we're going to boot into Knoppix.
And so ‑‑
And then do sticky keys and that's pretty much it.
So you mount the ISO in the HP iLO integrated remote console, so ‑‑ oops, let me skip back here.
All right.
So we mount the ISO here within the admin interface.
We start the machine up.
And rather than making you watch it start up, I'll skip ahead here.
So it boots into Knoppix and we sticky key the box, that way we can get access, so we're
just going to replace the sethc.exe with cmd.exe.
And that's just one way of many to ‑‑ easy way to get access if you actually have access
to the box.
So we'll rename it cmd.exe.
Paste.
Except it doesn't.
Okay.
Okay.
And then override it.
Restart the box.
So we unmount the ISO.
Restart it back up.
Restart it back up.
Hit the shift key five times and there you go.
So obviously you guys know how it works.
All right.
Please.
So we hit the shift key five times and then we've got a shell ‑‑ a system.
Sorry.
It's nothing new.
And then here you can just add another user or whatever you want, right?
Dump the hashes, et cetera, et cetera.
So we just add a user and then we get access to the box.
Sticky keys off?
No.
All right.
We'll move on here and run out of time.
Okay.
So recommendations.
Update the default password.
It should always be updated, obviously.
Have regular patching for the out of band devices.
Monitor audit logs for unauthorized access.
Configure ‑‑ okay.
Two-factor auth if you're able to.
And you should also have another management environment, you know, for all these out of
band devices.
And there's an article online as well that you can read that helps with that.
And so next we'll go over Hyper-V and it's just virtualization software that hosts virtual
machines.
Administrator on the host has admin rights on all the VMs that it hosts, obviously.
So here's another example.
Where you can also start into a live disk.
Okay.
And steal the VHD file or either or, I guess.
And so here's just how you mount an ISO and then once you're in it, you can steal the
NTDS and so ‑‑ and then you have all of Active Directory and you can extract the
hashes offline, essentially.
And so all they'll know is that the machine unexpectedly restarted, obviously, unless
they look at the host audit logs.
So recommendations.
The Hyper-V hosts, they need to be isolated with AD exactly like everything else.
And the admins on it should only be admins.
So it's easy principle.
And also you need to protect the VHD files as well.
And so, yeah, only admins should have access to those.
And it should also be another management network if available.
Okay.
And there's another article.
And then lastly, vulnerability scanners as well.
Organizations usually do auth scanning.
And so those are ‑‑ and those usually have admin rights on every box.
And so if you're scanning your domain controller with a domain admin creds, the Nessus box
or the Qualys box or whatever you're using should be treated as a domain controller.
I mean, it's ‑‑ you know.
And so, yeah.
You can obviously ‑‑ if you own one of those, then you own AD as well if there isn't
isolation.
So conclusion is everything that interacts with AD needs to be looked at.
So management stuff also has to be properly secured.
And so that's about it.
And here's my ‑‑ here's my information and I'll have everything up online next week.
So ‑‑
Thank you.
Finale.
Thank you.